Filtering a Data Packet by Means of a Network Filtering Device

ABSTRACT

There is a need for coupling, for example within an automation area, particularly critical subareas with less critical subareas of the automation area. The invention relates to a method and a network filtering device for filtering a data packet between a first network and a second network. According to the invention, a data packet is checked several times in parallel by means of a multiplier and a plurality of filtering devices.

The invention relates to a method and a network filter device for filtering a data packet between a first network and a second network.

Network boundaries have what are known as security gateways or firewalls installed at them in order to produce controlled coupling of different network areas. In this case, the network traffic is filtered, so that only admissible network traffic is allowed to pass. It is known practice to integrate such a security gateway on a terminal as a personal firewall. In particular, this monitors the coupling of differently critical network areas, “differently critical” meaning, by way of example, that other, e.g. more stringent, demands are made on a data packet that is to be processed in a network.

In industrial automation systems, such as, by way of example, within the context of railway automation in a signal box or in the case of train control, within the context of production automation in a production hall or within the context of process automation operations, for example in refineries or breweries, critical automation areas are coupled to general networks, e.g. an office network, with regard to functional safety. In this case, firewalls are used and configured such that only permitted network traffic can pass. Data communication is filtered in accordance with a configurable network security policy in this case, so that only admissible data traffic is forwarded. It is also possible, within an automation area, for particularly critical subareas to be coupled to less critical subareas of the automation area via a security gateway or a firewall. It is thus possible, by way of example, for a safety-critical automation subarea to be coupled to a general automation subarea. In particular, it is also possible for two respectively realtime-critical automation subareas to be coupled.

In this case, it is of great importance for a firewall that is faulty, i.e. that allows banned data packets to pass, to be identified. Reasons for faulty operation may be errors in the implementation or in the configuration of the firewall, or the firewall being compromised by an external attack. Such malfunctions need to be identified and need to be prevented as far as possible.

Within the context of IT environments, firewalls are available that are of multistage design. This involves multiple, independent security components being connected in series, such as first of all a packet filter and then an application level gateway, for example, so that inadmissible network traffic is blocked if at least one component blocks this traffic. As a result, an error in a single firewall implementation does not by itself allow inadmissible network traffic to pass, which represents an increased security level for security-relevant environments in which no safety criteria or realtime criteria need to be satisfied.

The patent application DE 10 2011 007387 discloses the practice of implementing self-monitoring of a gateway. This involves checking whether a corresponding incoming data packet has been received for an outgoing data packet. As a result, it is possible to ensure that a gateway does not itself produce data packets on account of a malfunction.

A publication by the Infineon company discloses a safety computing platform in which a safety monitor circuit monitors a main processor and the software execution on the main processor. In particular, it can perform tests against fixed test patterns and compare results from two independent executions. In this regard see also the product brief at http://www.infineon.com/dgdl/Safety-Computing-Platform-XC2300-CIC61508-Product-Brief.pdf?folderId=db3a304317a748360117f45a9c863e84&fileId=db3a3043353fdc16013543303497315d, retrieved on Sep. 18, 2013.

A network tap is a generally known network component that makes it possible to listen in to transmitted data without the transmitted data being influenced. Taps are generally used for network monitoring in which, by way of example, quality of service parameters such as throughput or latency are not meant to be influenced by the measurement. The function of a network tap can be provided by a switch that not only forwards a data packet but additionally copies it to a monitoring port. This is also referred to as port mirroring, see the publication at http://www.tamos.com/htmlhelp/monitoring/monitoringusingswitches.htm, retrieved on Sep. 18, 2013.

There is a need to provide improved filtering between two different network areas. Particularly when realtime-critical networks are involved, there are stringent demands on the latency or throughput of the data traffic. It is therefore an object of the present invention to provide more efficient and improved filtering of a data packet.

This object is achieved by the method and the network filtering device according to the independent claims. Advantageous embodiments are specified in the subclaims.

According to the invention, a method for filtering a data packet by means of a network filter device between a first network and a second network has the following steps:

-   multiplication of the data packet by a multiplication unit to produce a first data packet and at least one second data packet, wherein a content of the data packet is produced identically in the first data packet and at least in the second data packet;
-   forwarding of the first data packet to a first filter device and at least of the second data packet to a second filter device;
-   checking of the first data packet by the first filter device and at least of the second data packet by the second filter device according to respective filter specifications;
-   production and transmission of a first filter result by the first filter device and at least of a second filter result by the second filter device to a comparison unit;
-   blocking of forwarding of the data packet between the first network and the second network if the comparison unit identifies, on the basis of the first filter result and at least the second filter result, a comparison result that deviates from a tolerance range.

In the present application, a network filter device is understood to mean, by way of example, a component at a coupling point between two networks that checks all passing data traffic. The network filter device comprises at least two filter devices, also called firewalls. The prescribing of filter specifications is used to configure the filter devices and hence the network filter device. The filter specifications therefore stipulate rules according to which a data packet is checked.

The multiplication unit used is a splitting switch, for example. By way of example, a packet received at a port of the multiplication unit is transmitted to two ports, to each of which a filter device is connected. This doubles the data packet. The content of the data packet is retained in each copy. The step of multiplication may therefore involve doubling, tripling, etc.

By way of example, the first network may be a nonsecure network, whereas the second network may be a network within which it is necessary to take into account demands on the realtime capability of a system.

In the application that follows, a comparison unit is understood to mean a component that can check a packet or multiple packets within a queue for similarity with another packet or a queue of packets that are made available to the comparison unit at a second port. This can involve two data packets being established as identical. In addition, a tolerance range can be prescribed that indicates discrepancies between two data packets that are nevertheless meant to be classified as identical. Hence, bit errors that are present in one of the filter results, for example as a result of the transmission by one of the filter devices, are rated as a comparison result that is within the tolerance range. The comparison unit can also be referred to as a combiner switch.

In the present application, a filter result denotes a packet produced by the filter device that is transmitted to the comparison unit. This may be the respective received data packet that is forwarded by the filter device, for example.

The parallel operation of multiple filter devices creates a network filter device that compares the filter results of the individual filter devices in a simple manner and thereby monitors the operation of the individual filter devices. The complexity of the monitoring therefore remains very low, since only multiplication of the incoming data packets and combination of the filter results to produce the comparison result are necessary. The latency, i.e. the time that is needed for the filtering of the data packet by the network filter device, is determined by the greatest latency of the filter devices involved. In contrast to a design with a single firewall, it is possibly no greater or, depending on the embodiment of a firewall installed in parallel, slightly greater.

This ensures a defined time response. If the second network is a safety-critical system, for example, then the proposed method allows freedom from interference on the safety-critical system with simultaneously reliable filtering of incoming data packets.

According to one embodiment, the respective filter specifications are identical and the first filter device and the second filter device are produced with different operating systems and/or are manufactured by different manufacturers. In this context, identical means that the respective filter specifications lead to the same filter result. They may have the same or a different syntax. In addition, a filter specification may be designed in different ways. This will be the case particularly if they are produced and maintained by different administrators.

The double filtering therefore does not require a complex new configuration. Identical filter specifications are used for filtering in each case. The use of different operating systems or manufacturers greatly decreases the probability of a systematic, identical error in all firewalls. The use of different operating systems spreads the risk of errors on account of an implementation. It is therefore possible to compensate for any weaknesses there are in one of the operating systems. In addition, there may also be errors within the application software, particularly the respective firewall application. Typical sources of error in this context are memory overflows during execution of a program, which can overwrite parts of the program code or its data.

The choice of different manufacturers for the respective firewall can, given an identical set of rules and, in each case, a sound implementation, nevertheless ensure a different implementation that firstly may have different weaknesses and secondly presents different security obstacles from the point of view of an attacker. It is also possible for the two filter specifications to be produced and updated by different administrators. A faulty configuration of one of the two filter specifications can be identified in this case if a data packet is admitted by only one filter specification.

According to one development, the blocking outputs an alarm signal.

The alarm signals inconsistent filtering and can initiate automatic precautionary measures. By way of example, responsible centers, such as a network administrator, a firewall manufacturer or a firewall administrator, can be notified.

According to one embodiment, the blocking blocks data traffic between the first network and the second network.

By way of example, it is possible, independently of or together with output of an alarm signal, for network connections to be interrupted or for a firewall to be shut down that has allowed more data packets to pass than another firewall.

According to one embodiment, the blocking is performed if the first filter result and the second filter result are transmitted at an interval of time and the interval of time is outside a prescribable time period.

Hence, a maximum time span is prescribed within which a packet that is made available at one of the ports of the comparison unit can still be used for collation with a packet previously received at the other port.

According to one development, the first filter result transmitted is the first data packet and/or the second filter result transmitted is the second data packet if the respective data packet is identified as valid on the basis of the respective filter specification.

The classification as a valid data packet is stipulated using the filter specifications. If, by way of example, the filter specifications indicate an IP address range that is meant to result in a classification as an invalid data packet, then the destination IP address of the incoming data packet is collated with the prescribed IP address range, for example, and the data packet is identified as valid if the IP destination address is not part of the IP address range.

If the respective data packet is identified as valid, it is thus merely forwarded. That is to say that it is not altered. Apart from a bit error, it is identical to the incoming data packet.

According to one embodiment, the first filter result transmitted is not a packet if the respective data packet is identified as invalid on the basis of the respective filter specification. In this case, the respective filter device that, on account of the configuration of the filter specification, identifies the data packet as not valid, i.e. as invalid, therefore does not forward a packet. Hence, the comparison unit obtains a filter result from those filter devices that identify the respective data packet as valid and does not obtain a filter result from those filter devices that identify the respective data packet as invalid.

According to one embodiment, the comparison unit is presented with the respective filter result and with further filter results from a subsequently timed further check by the respective filter device, and the comparison result is thus obtained by taking account of the further filter results.

The comparison unit, also called a packet comparator, obtains from a first input queue of the first filter device, for example, a list of data packets that have been forwarded by the first filter device. That is to say that the first filter device has transmitted a filter result for the data packet. From the second filter device, the packet comparator obtains an input queue that includes fewer data packets, for example, since the second filter device has identified invalid data packets and has not forwarded them. If the comparison unit now obtains no filter result matching a filter result in the first input queue within a prescribed time period at the port of the second filter device, the data packet is blocked. Even though the data packet is thus available in the form of a filter result from the first filter device and would be forwarded on the basis of the assessment or evaluation of the first filter device, the data packet is still not forwarded, since an appropriate filter result is not delivered by the second filter device.

According to one embodiment, the first filter result transmitted and/or the second filter result transmitted is/are a respective substitute packet if the respective data packet is identified as invalid on the basis of the respective filter specification.

Hence, a filter result is transmitted to the comparison unit in each case. When classified as a valid data packet, the filter result is then the original data packet that is forwarded, and, apart from any bit errors present, is identical to the received data packet. If the received data packet is classified as invalid, on the other hand, then the filter result transmitted is a substitute packet.

In particular, the transmission of a substitute packet simplifies the collation by the comparison unit when an evaluation of the second data packet, for example, by the second filter device takes longer than the evaluation of the first data packet by the first filter device. If a packet, namely a substitute packet in the case of a negative check, is transmitted in each case, then the absence of one of the respective packets to be checked means that a check is still ongoing. A clear distinction can be drawn between late transmission and blocked transmission.

The use of a substitute packet additionally advantageously reduces the risk of like packets being compared with one another by chance and being forwarded by the comparison unit on the basis of a match.

The invention additionally relates to a network filter device for filtering a data packet between a first network and a second network, comprising:

-   a multiplication unit for multiplying the data packet to produce a first data packet and at least one second data packet, wherein a content of the data packet can be produced identically in the first data packet and at least in the second data packet, and for forwarding the first data packet to a first filter device and also at least the second data packet to a second filter device;
-   the first filter device for checking the first data packet and the second filter device for checking the second data packet according to respective filter specifications and for respectively transmitting a first filter result and at least one second filter result to a comparison unit;
-   the comparison unit for blocking the data packet if, on the basis of the first filter result and at least the second filter result, a comparison result that deviates from a tolerance range can be identified.

In addition, the network filter device according to one embodiment comprises a monitoring unit for carrying out one of the method steps according to the embodiments or developments cited above.

The invention is explained in more detail below using exemplary embodiments with reference to the figures. Although the invention is illustrated and described in more detail by the exemplary embodiments, the invention is not restricted by the disclosed examples, and other variations can be derived therefrom by a person skilled in the art without departing from the scope of protection of the invention.

In the figures:

FIG. 1 shows a schematic illustration of the network filter device according to a first exemplary embodiment of the invention;

FIG. 2 shows a schematic illustration of the method according to a second embodiment of the invention;

FIG. 3 shows a schematic illustration of the network filter device according to a third exemplary embodiment of the invention.

In the figures, elements having the same function are provided with the same reference symbols unless indicated otherwise.

FIG. 1 depicts a network filter device 100 that comprises a multiplication unit 200 and also a comparison unit 300, and also a first filter device FW1 and a second filter device FW2. A port of the multiplication unit 200 obtains a data packet 10 from a first network NW1. By way of example, the first network NW1 is an office network or company network. In the first network NW1, there are no realtime demands and, in particular, access from the Internet is possible. From the point of view of security, there are weaknesses here. The multiplication unit 200 doubles the data packet 10, for example, and produces a first data packet 11 and also a second data packet 12. The respective content of the respective data packets 11, 12 is identical in this case.

The first data packet 11 is forwarded to the first filter device FW1. The first filter device FW1 is a first firewall that has configurable filter specifications K1 or filter rules. The firewall checks the incoming first data packet 11 against the demands that exist as a result of the filter specifications K1. In particular, the first filter device FW1 has a first filter specification K1 that prescribes an IP address range from which the data packet 10 must have been sent in order for it to be classified as valid by the first filter device FW1. In a variant, the filter specification K1 may also prescribe admissible protocols, port numbers or data content.

In addition, sender applications or destination applications may be prescribed that are rated as an indication that blocking needs to be performed for a data packet. Additionally, state data about the protocols used, such as particularly user datagram protocol or transmission control protocol, or the state of the connection setup can be stored for existing communication links. For incoming data packets, this information is taken into account during the filtering. Furthermore, the firewall filters on the basis of information at application level, for example. This means further analysis that allows improved appraisal of the data packets. In this case, a firewall operating at application level reassembles IP packets in particular and, in so doing, checks for the presence of a payload unit that is obtained as a result of the reassembly.

If the first data packet 11 meets the demands of the first filter device FW1, it is forwarded to a comparison unit 300 in the form of a first filter result R1.

In parallel therewith, the second data packet 12 is forwarded to a second filter device FW2. The second filter device FW2 has second filter specifications K2 that match the first filter specifications K1. The second filter device FW2 is a second firewall that, by way of example, is executed on a piece of hardware with an operating system that is different from that of the first filter device FW1.

If the second filter device FW2 also establishes that the second data packet 12 meets the demands that arise from the second filter specification K2, then the second filter device FW2 also outputs a second filter result R2 in the form of the forwarded second data packet 12 and sends it to the comparison unit 300. The comparison unit 300 is then provided with the first filter result R1 and the second filter result R2 in a juxtaposition, for example a table.

If the comparison unit 300 identifies a match between the first filter result R1 and the second filter result R2, particularly because the respective data packets 11 and 12 produced by the multiplication unit 200 have been forwarded without alteration and hence are identical, then a checked data packet 10′ is forwarded to the second network NW2. In this case, either the first filter result R1 or the second filter result R2 can be forwarded as data packet 10′.

The second network NW2 is a safety-critical automation network within the context of process automation. Demands that are made on data that are transmitted to the second network NW2 from outside are very high, since the data set operating states, for example. In the event of a malfunction in a firewall that is a coupling point to an external network, it would therefore be possible for configurations to be set that endanger dependability within an installation, for example.

If at least one of the respective filter devices FW1, FW2 classifies the respective data packet 11, 12 as invalid, transmission of the respective filter result R1, R2 is prevented. The comparison unit 300 is therefore unable to associate a corresponding filter result R2 with the first filter result R1, in particular. In this case, the data packet 10 is blocked.
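The arrangement of FIG. 1 in runnable form, as an added example that is not part of the patent text: a multiplication unit, two filter devices FW1 and FW2 written independently against the same filter specification (the different-manufacturer embodiment described above), and a comparison unit that forwards only when every filter device delivered a result and the results agree within the tolerance range. Everything concrete here is an assumption of the example: the simplified packet representation, the specification itself (a banned destination range 10.1.0.0/16 and admissible destination ports 102, 502 and 4840), the Hamming distance in bits as the concrete form of the tolerance range, and the constructed faults (a mistyped range in the second specification and a filter device that flips one bit).

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    """Simplified data packet (assumption of the example, not a real wire format)."""
    src: str
    dst: str
    proto: str      # "tcp" or "udp"
    dport: int
    payload: bytes

    def to_bytes(self) -> bytes:
        # Wire form that the comparison unit compares bit by bit.
        return f"{self.src}>{self.dst}/{self.proto}:{self.dport}|".encode() + self.payload


def multiply(pkt: Packet, n: int = 2) -> List[Packet]:
    """Multiplication unit 200: one identical copy of the packet per filter device."""
    return [Packet(pkt.src, pkt.dst, pkt.proto, pkt.dport, pkt.payload) for _ in range(n)]


# Filter specification K1 = K2 (assumed): a destination range whose packets are
# invalid, plus the admissible protocols and destination ports.
SPEC = {"banned_dst": ["10.1.0.0/16"],
        "allowed_proto": {"tcp", "udp"},
        "allowed_dports": {102, 502, 4840}}


def fw1(pkt: Packet, spec=SPEC) -> Optional[Packet]:
    """First filter device: implemented on top of the ipaddress module."""
    dst = ipaddress.ip_address(pkt.dst)
    if any(dst in ipaddress.ip_network(net) for net in spec["banned_dst"]):
        return None                 # invalid: no filter result is transmitted
    if pkt.proto not in spec["allowed_proto"] or pkt.dport not in spec["allowed_dports"]:
        return None
    return pkt                      # valid: forwarded unaltered as the filter result


def _ip_int(addr: str) -> int:
    a, b, c, d = (int(x) for x in addr.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d


def _in_cidr(addr: str, cidr: str) -> bool:
    net, bits = cidr.split("/")
    mask = (0xFFFFFFFF << (32 - int(bits))) & 0xFFFFFFFF
    return (_ip_int(addr) & mask) == (_ip_int(net) & mask)


def fw2(pkt: Packet, spec=SPEC) -> Optional[Packet]:
    """Second filter device: an independent implementation of the same specification."""
    if any(_in_cidr(pkt.dst, cidr) for cidr in spec["banned_dst"]):
        return None
    if pkt.proto not in spec["allowed_proto"] or pkt.dport not in spec["allowed_dports"]:
        return None
    return pkt


def compare(results: List[Optional[Packet]], tolerance_bits: int = 0) -> Tuple[Optional[Packet], bool]:
    """Comparison unit 300. Returns (forwarded packet or None, alarm signal).

    A missing result means that device blocked the packet. The packet is forwarded
    only if every device delivered a result and all results agree within
    `tolerance_bits` (Hamming distance over the wire form). The alarm is raised
    when the devices disagree; if all of them block, there is nothing to alarm.
    """
    if any(r is None for r in results):
        return None, any(r is not None for r in results)
    ref = results[0].to_bytes()
    for r in results[1:]:
        other = r.to_bytes()
        if len(other) != len(ref):
            return None, True
        distance = sum(bin(x ^ y).count("1") for x, y in zip(ref, other))
        if distance > tolerance_bits:
            return None, True
    return results[0], False


def network_filter(pkt: Packet, devices: Tuple[Callable, ...] = (fw1, fw2),
                   tolerance_bits: int = 0) -> Tuple[Optional[Packet], bool]:
    """Network filter device 100: multiply, filter in parallel, compare."""
    copies = multiply(pkt, len(devices))
    results = [dev(copy) for dev, copy in zip(devices, copies)]
    return compare(results, tolerance_bits)


# Constructed fault 1: the second administrator typed 10.10.0.0/16 instead of
# 10.1.0.0/16, so FW2 admits traffic to 10.1.0.0/16 that FW1 rejects.
BAD_SPEC = dict(SPEC, banned_dst=["10.10.0.0/16"])


def fw2_misconfigured(pkt: Packet) -> Optional[Packet]:
    return fw2(pkt, BAD_SPEC)


def fw_bit_error(pkt: Packet) -> Optional[Packet]:
    """Constructed fault 2: a device that forwards with one payload bit flipped."""
    r = fw1(pkt)
    if r is None:
        return None
    return Packet(r.src, r.dst, r.proto, r.dport, bytes([r.payload[0] ^ 0x01]) + r.payload[1:])


if __name__ == "__main__":
    good = Packet("192.0.2.10", "10.2.0.7", "tcp", 502, b"\x00\x01\x00\x00\x00\x06\x01\x05")
    banned = Packet("192.0.2.10", "10.1.5.5", "tcp", 502, b"\x00\x01")
    print(network_filter(good))                                   # forwarded, no alarm
    print(network_filter(banned))                                 # blocked by both, no alarm
    print(network_filter(banned, (fw1, fw2_misconfigured)))       # blocked, alarm: FW2 disagrees
    print(network_filter(good, (fw1, fw_bit_error), tolerance_bits=1))  # forwarded within tolerance
```

Both devices rejecting a packet yields no alarm, in line with the variant described below for the substitute packets; the alarm is raised only on disagreement, which is exactly what exposes the mistyped range of the second specification. The tolerance should stay at zero unless the link between a filter device and the comparison unit is actually known to introduce bit errors: every bit of tolerance is also a bit by which a faulty or compromised filter device may alter a packet without the comparison unit noticing.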

The comparison unit 300, also called a packet comparator, does not just consider one entry at a time from the respective input queue of the respective filter device FW1, FW2, but rather compares multiple entries in each case, i.e. filter results that have been filtered and forwarded in a time sequence by the respective filter device FW1, FW2. As soon as an identical packet is included in both queues, the packets also being able to be situated at different positions within the queue, it is removed from the queue and sent to the port connected to the second network NW2. In this case, two filter results R1, R2 can be identified as an identical packet if, apart from bit errors, there is a match in the data.

Hence, it is advantageously also possible for the respective filter device FW1, FW2 to change the order of the respective data packets 11, 12 that are to be filtered. This may be prescribed on the basis of realtime demands. It is thus possible for the order of the respective data packets 11, 12 that have been transmitted to the respective filter device FW1, FW2 not to match the order of the associated filter results. This may be the case particularly as a result of prioritization that is performed by the respective filter device FW1, FW2. By way of example, prioritization may be advantageous if realtime demands on the data traffic exist and therefore the respective filter device FW1, FW2 prefers to check a specifically denoted data packet.

In particular, when multiple respective filter results R1, R2 are collated, for example in the case of 2, 3, 5 or 8 entries per queue, it is advantageous to additionally prescribe a time period within which the collation of the respective filter results R1, R2 needs to be performed. After this time period has elapsed, the data packet 10 is not forwarded and the respective filter result entry is removed from the list.

For implementations for which prioritization of the respective data packets 11, 12 is important, it is advantageous to set up multiple output queues and input queues at the respective interface to the respective filter device FW1, FW2. The comparison by the comparison unit 300 can then be performed per input queue, with each queue representing a different quality of service class, for example.

FIG. 2 shows a schematic flowchart for an application of the method according to a second exemplary embodiment of the invention. Multiplication 1 of the data packet by a multiplication unit to produce a first data packet and at least one second data packet is followed by the forwarding 2. The forwarding 2 involves both the first data packet produced by the multiplication unit being forwarded to a first filter device and the second data packet produced by the multiplication unit being forwarded to a second filter device.

There then follows checking 3 of the first data packet by the first filter device and checking 3 of the at least one second data packet by the second filter device. Finally, there follows the production of a respective filter result and transmission 4 of the respective filter result to a comparison unit.

The steps of forwarding 2, checking 3 and production and transmission 4 are performed as parallel processes. In this case, parallel means that the method steps are performed by components arranged in parallel in the processing chain. This involves a component being categorized in the network filter device according to the operation of said component, that is to say its logical categorization.

In addition, parallel means that the steps are carried out simultaneously, that is to say at overlapping times in the temporal sequence rather than one after the other.

The step of production and transmission 4 of the respective filter result is followed by the blocking 5 of the data packet if the comparison unit identifies, on the basis of the first filter result and at least the second filter result, a comparison result that deviates from a tolerance range.

For a comparison result that lies within the tolerance range and therefore indicates a valid data packet that has not been filtered out by either firewall, provision 6 of a checked data packet for the second network takes place.

FIG. 3 shows how, according to a third exemplary embodiment of the invention, a splitting/combiner switch 400 comprises the multiplication unit 200 and also the comparison unit 300. In addition, an interface IFNW to the first network and also to the second network is shown. From there, the splitting/combiner switch obtains the data packet 10 to be filtered, particularly from a realtime-critical automation subarea. The first data packet 11 produced by the multiplication unit 200 is sent to a first filter device via a first filter interface IFFW1. For the purpose of sending, it is stored on the first filter interface IFFW1 in an output queue. A filter result R1 provided by the first filter device is stored in the input queue Q1 of the first filter interface IFFW1.

The process is carried out in a corresponding manner for the second data packet 12 on a second filter interface IFFW2 to a second filter device. There, a filter result R2 is stored in the respective input queue Q2. If the second filter device establishes that a second data packet 12 is invalid, it delivers a second substitute packet SR2 as filter result R2. The comparison unit 300, or what is known as the packet comparator, is then presented with two filter results R1, R2 that do not match, since the substitute packet SR2 is a standardized packet denoted by the second filter device.

The filter interfaces IFFW1, IFFW2 may be implemented as a local interface, for example as an SPI interface, PCI interface, USB interface or Ethernet interface. They may likewise be implemented as remote interfaces, with the respective data packet 11, 12 and the respective filter results R1, R2, SR1, SR2 being transmitted via an internet connection, e.g. an HTTP connection or a TCP connection. In this case, the filter interfaces IFFW1, IFFW2 may be implemented in an identical manner or in different manners.

The comparison unit has a tolerance range available within which, in the event of discrepancies in the respective filter results R1, R2, a comparison result is identified on the basis of which the data packet is still forwarded.

On the basis of collation of the first data packet 11, which is forwarded by the first filter device as a first filter result R1, with the second substitute packet SR2, which is provided by the second filter device, a comparison result is available that does not lie within the tolerance range. The data packet 10 is not forwarded to a second, likewise realtime-compatible, automation subarea.

If, in a variant, the first filter device also identifies the first data packet 11 as invalid, then the first filter result R1 is a first substitute packet SR1. The first substitute packet SR1 is denoted by the first filter device, and the comparison result from the collation of the first substitute packet SR1 with the second substitute packet SR2 lies outside the tolerance range.

Advantageously, the use of a substitute packet reduces the risk of like packets that are sent in succession being forwarded by chance, even if one of the installed filter devices does not forward the packet. If, by way of example, the first filter result R1 provided is a packet P1 and the second filter device blocks the forwarding and does not provide a substitute packet, then the first filter result R1 is collated with a subsequent second filter result R2, for example, that arose from subsequent filtering of a data packet sent later. If that is by chance a packet P2 that is identical to the first packet P1, then the blocking by the second filter device would not be identified.

In this case, two respectively realtime-critical automation subareas arecoupled to one another. This involves the presented network filterdevice being used to check a data packet multiple times in parallel,which increases robustness without any substantial additional timedelay.

In a variant, the comparison unit 300 outputs an alarm signal A if thecomparison unit 300 is provided with a substitute packet SR1, SR2 by atleast one of the filter devices. In particular, the forwarding of thedata packet 10 can be blocked if all filter devices involved provide asubstitute packet. In this case, an alarm signal A can be omitted, sincethe network filter device with all of its filter devices involved isthen acknowledged as operating correctly.

In a variant, the network filter device prompts notification of a monitoring system on the basis of the alarm signal. As a result, an emergency signal can be output that, by way of example, prompts a check by service personnel or by a monitoring component of an installation, for example within the second network.

The respective units such as network filter device, multiplication unit, the respective filter device, comparison unit and also the monitoring unit may be implemented in hardware and/or in software. An implementation in hardware can involve the respective unit being in the form of an apparatus or in the form of part of an apparatus, for example in the form of a computer or in the form of a microprocessor. An implementation in software can involve the respective unit being in the form of a computer program product, in the form of a function, in the form of a routine, in the form of part of a program code or in the form of an executable object.
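The following software model is an added illustration and not the patent's own implementation. It puts the multiplication unit, two filter devices with a shared filter specification, and the comparison unit together, and reproduces the argument made above for substitute packets: with a second filter device that blocks a packet silently, an identical packet sent shortly afterwards is collated with the first packet's filter result and wrongly forwarded, whereas a denoted substitute packet makes the disagreement visible and raises the alarm signal. All names, the byte-level "packet" format, the filter specification, the transient fault in FW2, the device latency and the time window are constructed assumptions for the example.

```python
"""Model of the parallel filter-and-compare scheme (constructed example).

Assumptions: a packet is a bytes object, a filter specification is a predicate
on the packet, and the "tolerance range" is modelled as identical payloads
arriving within a configurable time window.
"""
from collections import deque
from dataclasses import dataclass, field
from typing import Callable, Deque, List, Optional, Tuple

# Assumption: the identical specification K1 == K2 admits packets whose first
# byte is one of these values.
ALLOWED_FIRST_BYTE = {0x01, 0x02}


def multiply(packet: bytes) -> Tuple[bytes, bytes]:
    """Multiplication unit: two copies with identical content for FW1 and FW2."""
    return bytes(packet), bytes(packet)


def spec_ok(p: bytes) -> bool:
    """Constructed filter specification K1 / K2."""
    return len(p) > 0 and p[0] in ALLOWED_FIRST_BYTE


def with_transient_fault(spec: Callable[[bytes], bool]) -> Callable[[bytes], bool]:
    """Constructed fault model: the device rejects the very first packet it sees
    and behaves normally afterwards, so an identical packet sent later passes."""
    seen = {"n": 0}

    def wrapped(p: bytes) -> bool:
        seen["n"] += 1
        return spec(p) and seen["n"] > 1

    return wrapped


@dataclass
class FilterDevice:
    """One filter device (FW1 / FW2)."""
    name: str
    spec: Callable[[bytes], bool]
    emit_substitute: bool = True   # False models a device that blocks silently
    latency: float = 0.0           # seconds added to the result timestamp

    def check(self, pkt: bytes) -> Optional[bytes]:
        if self.spec(pkt):
            return pkt                          # filter result is the packet itself
        if self.emit_substitute:
            return b"SR:" + self.name.encode()  # substitute packet denoted by this device
        return None                             # blocked, nothing reaches the comparison unit


def is_substitute(result: bytes) -> bool:
    return result.startswith(b"SR:")


@dataclass
class Decision:
    forward: bool
    alarm: bool
    reason: str


@dataclass
class ComparisonUnit:
    """Comparison unit: collates the oldest unmatched result from each device."""
    time_window: float
    queues: List[Deque[Tuple[float, bytes]]] = field(
        default_factory=lambda: [deque(), deque()])
    decisions: List[Decision] = field(default_factory=list)

    def receive(self, idx: int, t: float, result: Optional[bytes]) -> None:
        if result is None:
            return                 # silent block: the unit never learns of it
        self.queues[idx].append((t, result))
        while all(self.queues):
            (t1, r1), (t2, r2) = self.queues[0].popleft(), self.queues[1].popleft()
            self.decisions.append(self.compare(t1, r1, t2, r2))

    def compare(self, t1: float, r1: bytes, t2: float, r2: bytes) -> Decision:
        subs = (is_substitute(r1), is_substitute(r2))
        if all(subs):          # both devices rejected: block, no alarm needed
            return Decision(False, False, "rejected by all filter devices")
        if any(subs):          # devices disagree: block and raise alarm signal A
            return Decision(False, True, "filter devices disagree")
        if abs(t1 - t2) > self.time_window:
            return Decision(False, True, "results outside tolerated time interval")
        if r1 != r2:
            return Decision(False, True, "filter results differ")
        return Decision(True, False, "forwarded")


def run_scenario(emit_substitute: bool) -> List[Decision]:
    """Constructed traffic: P1, an identical P2 shortly after, then a packet
    both devices must reject. FW2 carries the transient fault."""
    fw1 = FilterDevice("FW1", spec_ok, emit_substitute)
    fw2 = FilterDevice("FW2", with_transient_fault(spec_ok), emit_substitute, latency=0.0002)
    cu = ComparisonUnit(time_window=0.001)
    stream = [
        (0.0000, bytes([0x01, 0xAA, 0xBB])),   # P1
        (0.0005, bytes([0x01, 0xAA, 0xBB])),   # P2, identical to P1
        (0.0010, bytes([0x05, 0x00, 0x00])),   # not admitted by K1 / K2
    ]
    for t, pkt in stream:
        p1, p2 = multiply(pkt)
        cu.receive(0, t + fw1.latency, fw1.check(p1))
        cu.receive(1, t + fw2.latency, fw2.check(p2))
    return cu.decisions


if __name__ == "__main__":
    for mode in (False, True):
        print(f"substitute packets {'on' if mode else 'off'}:")
        for d in run_scenario(mode):
            print("  ", "FORWARD" if d.forward else "BLOCK", "ALARM" if d.alarm else "", d.reason)
```

Without substitute packets the only decision recorded is a forward of P1 collated against P2, and the rejection of the third packet leaves no trace at all; with substitute packets the comparison unit blocks P1 with an alarm, forwards P2, and blocks the third packet without an alarm because both devices rejected it consistently.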

1. A method for filtering a data packet (10) by means of a network filter device (100) between a first network (NW1) and a second network (NW2), having the following steps: multiplication (1) of the data packet (10) by a multiplication unit (200) to produce a first data packet (11) and at least one second data packet (12), wherein a content of the data packet (10) is produced identically in the first data packet (11) and at least in the second data packet (12); forwarding (2) of the first data packet (11) to a first filter device (FW1) and at least of the second data packet (12) to a second filter device (FW2); checking (3) of the first data packet (11) by the first filter device (FW1) and at least of the second data packet (12) by the second filter device (FW2) according to respective filter specifications (K1, K2); production and transmission (4) of a first filter result (R1) by the first filter device (FW1) and at least of a second filter result (R2) by the second filter device (FW2) to a comparison unit (300); blocking (5) of forwarding of the data packet (10) between the first network (NW1) and the second network (NW2) if the comparison unit (300) identifies, on the basis of the first filter result (R1) and at least the second filter result (R2), a comparison result that deviates from a tolerance range.

2. The method as claimed in claim 1, wherein the respective filter specifications (K1, K2) are identical and the first filter device (FW1) and the second filter device (FW2) are produced with different operating systems and/or are manufactured by different manufacturers.

3. The method as claimed in claim 1 or 2, wherein the blocking (5) outputs an alarm signal (A).

4. The method as claimed in one of the preceding claims, wherein the blocking (5) blocks data traffic between the first network (NW1) and the second network (NW2).

5. The method as claimed in one of the preceding claims, wherein the blocking (5) is performed if the first filter result (R1) and the second filter result (R2) are transmitted at an interval of time and the interval of time is outside a prescribable time period.

6. The method as claimed in one of the preceding claims, wherein the first filter result (R1) transmitted is the first data packet (11) and/or the second filter result (R2) transmitted is the second data packet (12) if the respective data packet (11, 12) is identified as valid on the basis of the respective filter specification (K1, K2).

7. The method as claimed in one of the preceding claims, wherein the first filter result (R1) transmitted is not a packet if the respective data packet (11, 12) is identified as invalid on the basis of the respective filter specification (K1, K2).

8. The method as claimed in one of claims 1 to 6, wherein the first filter result (R1) transmitted and/or the second filter result (R2) transmitted is/are a respective substitute packet (SR1, SR2) if the respective data packet (11, 12) is identified as invalid on the basis of the respective filter specification (K1, K2).

9. The method as claimed in one of the preceding claims, wherein the comparison unit (300) is presented with the respective filter result (R1, R2) and with further filter results from a subsequently timed further check by the respective filter device (FW1, FW2), and the comparison result is thus obtained by taking account of the further filter results.

10. A network filter device (100) for filtering a data packet (10) between a first network (NW1) and a second network (NW2), comprising: a multiplication unit (200) for multiplying (1) the data packet (10) to produce a first data packet (11) and at least one second data packet (12), wherein a content of the data packet (10) can be produced identically in the first data packet (11) and at least in the second data packet (12), and for forwarding the first data packet (11) to a first filter device (FW1) and also at least the second data packet (12) to a second filter device (FW2); the first filter device (FW1) for checking (3) the first data packet (11) and the second filter device (FW2) for checking (3) the second data packet (12) according to respective filter specifications (K1, K2) and for respectively transmitting a first filter result (R1) and at least one second filter result (R2) to a comparison unit (300); the comparison unit (300) for blocking (5) the data packet (10) if, on the basis of the first filter result (R1) and at least the second filter result (R2), a comparison result that deviates from a tolerance range can be identified.

11. The network filter device (100) as claimed in claim 10, additionally comprising a monitoring unit for carrying out one of the method steps as claimed in claims 3 to 5.